
Smarter malware... Less technical coding

95Viper

Super Moderator
Staff member
Joined
Oct 12, 2008
Messages
12,667 (2.24/day)
How about malware that will peek at what might be monitoring for it, then hide or wait a few minutes run a portion of itself.
Wait, now run another portion. Oh, wait, and run some more.
Bam, you're infected!

Or, how about some malware that hides in your mouse routines, then waits for you to click a button or move the mouse, so it can run hidden in the mouse message routines.

Even better, how 'bout the malware that will recognize it is running in a VM or being searched for and stops itself from running; hides and waits until the way is clear.

And, unless your A/V or whatever method you use is aware of this type of threat... you are infected.

Nowadays, it doesn't take a technical genius to make it happen.

It is all explained in this article by the Symantec Security Response team, here --> Malware Authors Using New Techniques to Evade Automated Threat Analysis Systems
And, a couple of quotes from the page:
For a long time, malware has been able to detect the environment it is running in and hide itself from automated threat analysis systems. The list below is the measures malware takes to avoid being detected by dynamic analyzer systems:
Checks a certain registry entry and stops if it detects that it is running in a virtual environment.
Checks video and mouse drivers and stops if it detects that it is running in a virtual environment.
Enumerates the system service list and stops if it detects that it is running in a virtual environment.
Executes special assembler code and stops if it detects that it is running in a virtual environment.
Checks a certain communication port and stops if it detects that it is running in a virtual environment.
Checks a certain process name and stops if it detects that it is being monitored.

If malware stops itself when it detects that it is running in a virtual environment, it may trick an automated threat analysis system into thinking that it is a clean program. It is also able to stop itself if it discovers a certain process name and detects that someone is monitoring it. So malware may not only fool automated threat analysis systems, but also a corporate system administrator who is searching for computers compromised by malware.
In the past, malware authors used very difficult techniques to detect virtual environments. As such, they may have needed specialized skills, such as assembler code writing skills, knowledge of virtual machines, and knowledge of CPUs and memory management.

However, the techniques described in this blog are not technical and hence malware authors these days do not need technical skills to hide their creations from automated threat analysis systems. Furthermore, they are always researching and testing new ideas in order to fool automated threat analysis systems.

Keep your guard up and compute safely. :)
 
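The quoted list above describes what the sample does (registry, driver, service and process checks, then stopping or stalling); what the defender's side sees is the sandbox's API trace. As an added illustration, not code from the post or from Symantec, here is a small scorer that reads such a trace and flags the evasion behaviours named in the list. The one-call-per-line trace format, the API names grouped by category, the hypervisor token list and the thresholds are all assumptions of this example; a production sandbox has its own log format and a far longer rule set.

```python
"""Heuristic scorer for a dynamic-analysis (sandbox) API trace.

Added example: not Symantec's or the forum's code. The trace format, the API
grouping, the VM_TOKENS list and the thresholds are assumptions made here.
"""
import re

# One call per line: "<pid> <api>(<args>)". Constructed format for this example.
CALL_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*$")

# Substrings that, as the argument of a lookup API, suggest the sample is probing
# for a hypervisor guest. Illustrative subset only.
VM_TOKENS = ("vbox", "vmware", "vmtools", "qemu", "virtual")

# Lookup APIs mapped to the category of check in the quoted Symantec list.
LOOKUP_APIS = {
    "RegOpenKeyExW": "registry",
    "RegQueryValueExW": "registry",
    "EnumServicesStatusExW": "service",
    "CreateToolhelp32Snapshot": "process",
    "Process32NextW": "process",
    "EnumDisplayDevicesW": "driver",
    "SetupDiGetDeviceRegistryPropertyW": "driver",
}
WORK_APIS = ("CreateFileW", "WriteFile", "connect", "InternetOpenUrlW")
EXIT_APIS = ("ExitProcess", "NtTerminateProcess")
STALL_MS = 120_000  # cumulative Sleep of two minutes or more counts as stalling

# Constructed traces: an evasive sample and a benign installer, for the demo below.
EVASIVE_TRACE = r"""
1234 RegOpenKeyExW(HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest)
1234 EnumDisplayDevicesW(VMware SVGA 3D)
1234 CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS)
1234 Process32NextW(vmtoolsd.exe)
1234 Sleep(90000)
1234 Sleep(90000)
1234 ExitProcess(0)
"""
BENIGN_TRACE = r"""
4321 CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS)
4321 Process32NextW(explorer.exe)
4321 Sleep(500)
4321 CreateFileW(C:\Program Files\App\app.exe)
4321 WriteFile(4096)
4321 ExitProcess(0)
"""


def parse_trace(text):
    """Yield (pid, api, args) for each well-formed line; ignore anything else."""
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            yield m.group("pid"), m.group("api"), m.group("args")


def score_trace(text):
    """Return the evasion indicators found in a trace plus a simple score.

    vm_probes: (category, api, args) lookups whose argument names a hypervisor.
    stalling:  total requested Sleep reached STALL_MS.
    early_exit: the process enumerated other processes and exited without doing
                any file or network work (the 'stop itself' pattern in the list).
    """
    probes, sleep_ms = [], 0
    enumerated = did_work = exited = False
    for _pid, api, args in parse_trace(text):
        if api == "Sleep":
            sleep_ms += int(args) if args.isdigit() else 0
        elif api in LOOKUP_APIS:
            category = LOOKUP_APIS[api]
            enumerated = enumerated or category == "process"
            if any(tok in args.lower() for tok in VM_TOKENS):
                probes.append((category, api, args))
        elif api in WORK_APIS:
            did_work = True
        elif api in EXIT_APIS:
            exited = True
    categories = sorted({cat for cat, _, _ in probes})
    stalling = sleep_ms >= STALL_MS
    early_exit = exited and enumerated and not did_work
    score = 2 * len(categories) + (2 if stalling else 0) + (3 if early_exit else 0)
    return {
        "vm_probes": probes,
        "categories": categories,
        "sleep_ms": sleep_ms,
        "stalling": stalling,
        "early_exit": early_exit,
        "score": score,
    }


if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        result = score_trace(trace)
        print(f"{name}: score={result['score']} categories={result['categories']} "
              f"stalling={result['stalling']} early_exit={result['early_exit']}")
```

The point of the `early_exit` rule is the one the post makes: a sample that looks around and then quietly terminates produces almost no behaviour, so a sandbox that only counts malicious actions will mark it clean. Scoring the absence of work after an environment probe, and the cumulative sleep, turns that silence into a signal the analyst can act on.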

SoF

New Member
Joined
Nov 27, 2008
Messages
28 (0.00/day)
Location
c:\windows
Good article!

These damn little suckers are really clever these days...

Still, I will never get over the point why people with such coding skills are not doing something good instead of being a pest for everyone.
 

mediasorcerer

New Member
Joined
Sep 15, 2011
Messages
978 (0.21/day)
Location
coast ,melbourne
They're doing something good for the anti-virus companies.
 

Aquinus

Resident Wat-man
Joined
Jan 28, 2012
Messages
13,147 (2.95/day)
Location
Concord, NH, USA
There is no bit of software that cannot be circumvented. It's a matter of taking the time to find out how to do it. Nothing is 100% fail-safe. This is true for everything. OS, DRM, Viruses/Malware, anything.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
40,435 (6.59/day)
Location
Republic of Texas (True Patriot)
They're doing something good for the anti-virus companies.

considering most viral code comes from them anyways.

Tools that help

Spyware Blaster
Spybot Search and Destroy
Malware Bytes Anti Malware
Hijack This
Housecall
AdAware
Webroot Spysweeper
 